Looks like CA.sh doesn't create the crlnumber file in demoCA, and openssl ca crl
complains about it.
With CA.pl these steps worked:
mkdir RootCA
cp ../openssl-1.0.1h/apps/CA.pl .
chmod +x CA.pl
./CA.pl -newca (Just Enter, will create RootCA)
./CA.pl -newreq
./CA.pl -signCA
cat demoCA/cacert.pem >> newcert.pem
cat newkey.pem >> newcert.pem
mkdir LEVEL1
cp newcert.pem LEVEL1/
cp CA.pl LEVEL1/
cd LEVEL1/
./CA.pl -newca (Enter newcert.pem on prompt, will create directory
structure for LEVEL1 CA).
openssl ca -gencrl -crldays 60 -keyfile demoCA/private/cakey.pem \
    -out crl01.pem
openssl crl -in crl01.pem -text
(Here config file is taken from default location).
On Tue, Aug 12, 2014 at 4:45 PM, Jayadev Kumar <[email protected]>
wrote:
> ./CA.sh -newca (Script on a fresh directory creates demoCA directory
> with RootCA and Privatekey)
> ./CA.sh -newreq (creates a new cert request, with newcert.pem and
> newkey.pem)
> ./CA.sh -signCA (Sign the new req as CA, with RootCA).
>
> You can find the CA.sh in 'openssl-1.0.1h/apps' directory.
>
> -Jayadev.
>
>
> On Tue, Aug 12, 2014 at 2:55 PM, lux-integ <[email protected]>
> wrote:
>
>> Greetings
>>
>>
>> I am trying to learn how to set up a small multilevel CA. I'm using
>> openssl-1.0.1h, and the computer runs Linux. I did the following:
>>
>>
>> --A- generate rootCA
>> openssl req \
>> -new \
>> -config openssl.cnf_ \
>> -out ROOTCAReq.pem \
>> -keyout ROOTCAKey.pem \
>>
>>
>> -B- generated a crl for rootCA with
>> openssl ca \
>> -gencrl \
>> -config openssl.cnf \
>> -out crl/crl01.pem \
>>
>>
>>
>>
>> -C- setup LEVEL1 CA with
>>
>> openssl req \
>> -new \
>> -config openssl.cnf \
>> -out level1/LEVELCAReq.pem \
>> -keyout level1/private/LEVEL1CAKey.pem \
>>
>> ( then sign it with the ROOTCAkey. )
>>
>>
>> --D- created a certificate trust chain with
>>
>> cat ROOTCACert.pem level1/LEVEL1CACert.pem >\
>> TrustChainCACert.pem
>>
>>
>> --E-- tried to generate crl for LEVEL1 CA with
>>
>> openssl ca \
>> -gencrl \
>> -crldays 60 \
>> -config openssl.cnf \
>> -keyfile LEVEL1CAKey.pem \
>> -out level1/crl/crl01.pem \
>>
>>
>> but I keep getting the following errors:-
>> ################
>> Using configuration from openssl.cnf
>> Error opening CA private key level1/private/LEVEL1CAKey.pem
>> 139899027933056:error:02001002:system library:fopen:No such file or
>> directory:bss_file.c:398:fopen('level1/private/LEVEL1CAKey.pem','r')
>> 139899027933056:error:20074002:BIO routines:FILE_CTRL:system
>> lib:bss_file.c:400:
>> unable to load CA private key
>> ##############
>>
>> help would be appreciated
>>
>>
>> sincerely
>> luxInteg
>> ______________________________________________________________________
>> OpenSSL Project http://www.openssl.org
>> User Support Mailing List [email protected]
>> Automated List Manager [email protected]
>>
>
>
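
Both failures reported in this thread (the fopen error on the CA private key path, and the missing crlnumber file) are files that `openssl ca -gencrl` opens before it signs anything. The script below is an added example, not code from either poster or from the OpenSSL project: it checks a CA tree for those files before calling openssl. The function names are hypothetical, and it assumes the default openssl.cnf layout in which the CA state lives under ./demoCA.

```shell
#!/bin/sh
# Added example: preflight for `openssl ca -gencrl` on a demoCA-style tree.
# Assumption: the default openssl.cnf paths (dir = ./demoCA) are in effect.

# Print every file `openssl ca -gencrl` needs that is absent under
# $1/demoCA. Prints nothing when the tree is complete.
ca_missing_files() {
    top=$1
    for f in private/cakey.pem cacert.pem index.txt crlnumber; do
        [ -f "$top/demoCA/$f" ] || printf '%s\n' "demoCA/$f"
    done
}

# Create only the bookkeeping files. The key and certificate are never
# fabricated: if they are absent, the path or the CA setup is wrong.
ca_init_crl_state() {
    top=$1
    [ -d "$top/demoCA" ] || return 1
    [ -f "$top/demoCA/index.txt" ] || : > "$top/demoCA/index.txt"
    # crlnumber holds the next CRL number in hex.
    [ -f "$top/demoCA/crlnumber" ] || echo 01 > "$top/demoCA/crlnumber"
}

# Refuse to call openssl until the tree is complete, then issue the CRL.
gen_crl() {
    top=$1 out=$2
    ca_init_crl_state "$top" || { echo "no demoCA under $top" >&2; return 1; }
    missing=$(ca_missing_files "$top")
    if [ -n "$missing" ]; then
        echo "cannot generate CRL, missing:" >&2
        echo "$missing" >&2
        return 1
    fi
    # Run from $top so the relative ./demoCA paths in the config resolve.
    (cd "$top" && openssl ca -gencrl -crldays 60 -out "$out")
}
```

Call it as `gen_crl LEVEL1 crl01.pem` from the directory that contains LEVEL1; the output path is relative to the CA directory.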